SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 21:01:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Manage github ssh-keys with sops

Browse source
This commit is contained in:
SebastianStork 2024-07-05 15:04:57 +02:00
parent c1cba95e02
commit ae4a2e5b72
10 changed files with 92 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -15,9 +15,13 @@ creation_rules:
- age: - age:
- *admin - *admin
- *inspiron - *inspiron
- path_regex: users/seb/secrets.yaml$ - path_regex: users/seb/@north/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *admin - *admin
- *seb-north - *seb-north
- path_regex: users/seb/@inspiron/secrets.yaml$
key_groups:
- age:
- *admin
- *seb-inspiron - *seb-inspiron

4
flake.nix
View file

@ -58,7 +58,7 @@
}; };
modules = [ modules = [
./hosts/north ./hosts/north
"${self}/users/seb/@north.nix" "${self}/users/seb/@north"
]; ];
}; };
inspiron = nixpkgs.lib.nixosSystem { inspiron = nixpkgs.lib.nixosSystem {
@ -67,7 +67,7 @@
}; };
modules = [ modules = [
./hosts/inspiron ./hosts/inspiron
"${self}/users/seb/@inspiron.nix" "${self}/users/seb/@inspiron"
]; ];
}; };
}; };

7
modules/home-manager/git.nix
View file

@ -9,7 +9,12 @@
userEmail = "sebastian.stork@pm.me"; userEmail = "sebastian.stork@pm.me";
extraConfig.init.defaultBranch = "main"; extraConfig.init.defaultBranch = "main";
}; };
programs.lazygit.enable = true; programs.lazygit.enable = true;
sops.secrets.github-ssh-key.path = "${config.home.homeDirectory}/.ssh/github";
programs.ssh = {
enable = true;
matchBlocks."github.com".identityFile = "~/.ssh/github";
};
}; };
} }

9
modules/home-manager/sops.nix
View file

@ -4,7 +4,7 @@
config, config,
lib, lib,
... ...
}: }@moduleArgs:
{ {
imports = [ inputs.sops-nix.homeManagerModules.sops ]; imports = [ inputs.sops-nix.homeManagerModules.sops ];
@ -13,7 +13,12 @@
config = lib.mkIf config.myConfig.sops.enable { config = lib.mkIf config.myConfig.sops.enable {
sops = { sops = {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ]; age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
defaultSopsFile = "${self}/users/${config.home.username}/secrets.yaml"; defaultSopsFile =
let
hostName = moduleArgs.osConfig.networking.hostName or "";
hostDir = if hostName != "" then "/@" + hostName else "";
in
"${self}/users/${config.home.username}${hostDir}/secrets.yaml";
}; };
}; };
} }

8
users/seb/@inspiron.nix → users/seb/@inspiron/default.nix
View file

@ -1,10 +1,14 @@
{ wrappers, ... }: { wrappers, ... }:
{ {
imports = [ ./default.nix ]; imports = [ ../default.nix ];
home-manager.users.seb = { home-manager.users.seb = {
home.stateVersion = "23.11"; home.stateVersion = "23.11";
myConfig.theme = "light";
myConfig = {
theme = "light";
sops.enable = true;
};
home.packages = [ wrappers.hyprlock ]; home.packages = [ wrappers.hyprlock ];

30
users/seb/@inspiron/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
github-ssh-key: ENC[AES256_GCM,data:ahboYxvvd8QuDT7BKpAfqCJzUnhoWpsHmAP5RIy0fVnetIEZFVMgf1tAgchqkisG05mQRPp17xMIsGaeZG0WrPEct1l5VhLjC7cgxBgFM/pMlfxAJUaZQG8pIKUMtlpDmpdRO1SW+8wUOwNNyWoo2yd513XGM04L91QdUYXRe12YsGz+JddJSGgQd/3PZJknDhI/NGCBCj25u9oIfhw6aYdsrEYTbeFIO8lomCgLb1AlITwwQFqcyCzV42Ifk/v2KoCK6JO7mvAb1rtOqwCUm6r6rfyv8Hy2P5ckGmu8/h4ZzaccuhWZQyFhhxFMYJFHEejqnZFehGL+EV4JxXzBQuL2mrZmDfC9sNsresZSkM9CL6+ZvYq3X9eldLLGt9m3Hx6a7+dTTnLVvqz2ycmbR/EHY6BkQ6rd2FomjBIFWubBCa76UPOT7uuwY3ebtB/aHtKf+nqrkYiWDpoIpI7o7hr85j65IMEGvyqJqYxJN4mI/z3yreOfbUTv+3ymExeqeTdQLb/ryD9Kk/GzZtXa,iv:9yf3/tzhvKbI2T5NA5cWdjuVVfPCVKDou84SKvEVG4M=,tag:437owh8BgJ7urnVuW2PzyQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycGk0NkU2Tk0yeE44SkdM
d2o1dEc0L3ZCdzR3K01yWEUremE0bU5VYWw0Ci9VTWFWRmZaNW5QTWIzRWVOTXZJ
NnhBRjB6NjdkWTJjRFFxSWtCV3JiajAKLS0tIHZ2ZmwvMEpKMVJENW1SL0l3djg3
eTJzVWRRUGVnbCtKeHl1RUZyQVpYVjQKsEONBZ4osct2OGT1n43MM3ghYtXyjXi0
L7GXOOEHXEDrQh9mfUCmv0yiBB3J3WGO+BIcnrinLPVoyICP6pKHqg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDN1T05ZL3hwdXZlTi91
QmR1UmdVa1BRNjZOc0FWY2xYTE0welE1OVVjCjdQUWxBWFFQLzYzSGZjSWx5Nk9Q
QWZ5cGx3UkY3WkIwYmd2cWYycXlySFkKLS0tIHdDdURYZ3RIRGRNNTdQZ0E0REVN
LzNhelFLTWhqd1FxazMzdmNXZnVwODAKQqwbkhPmBliuWpvrDbMn50yxYx8izVGE
XsSeOv9OEKmxiWUJX928vxBNUm8cLtOazvRbdTxgbiAgHWIoEv4mUg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-04T22:45:41Z"
mac: ENC[AES256_GCM,data:8spcUd/bcvLIWU+a9Zbf9TKfWAHhqdkU0vtsuiTY6CkXmja5HsTiQ0kqfUgcmE2c+vM7PaXqIRV/4j/6tcaAiYly/+Y9uKGIhjs8QoRsP7NVvnUsNO1rc13yEFPe5c1DVZrTxbKAFWV9N66h6Qm1ZVkpCS2YqTUa7Jdo006oGNI=,iv:jc2F3IcXR1bCNNvvnCvNMS+UfnKWuxHvOhis0bQ6Yuc=,tag:la5RA3dCisEwUWbgRf9OHA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

8
users/seb/@north.nix → users/seb/@north/default.nix
View file

@ -1,10 +1,14 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [ ./default.nix ]; imports = [ ../default.nix ];
home-manager.users.seb = { home-manager.users.seb = {
home.stateVersion = "23.11"; home.stateVersion = "23.11";
myConfig.theme = "dark";
myConfig = {
theme = "dark";
sops.enable = true;
};
home.packages = [ home.packages = [
pkgs.ffmpeg pkgs.ffmpeg

30
users/seb/@north/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
github-ssh-key: ENC[AES256_GCM,data:j8+ZA2oLeRbd8SeOELiV8UUYIreKUqg5SEkpaRshZDeiEoHEd7JCrShFY378aqWPBKqi6OZOI69dU/oBqXRnVzRhJCJb0GdeWItcOt85EtwPdMg6zDno3h3pnnkxd+9BsUZRx9WPh9uihxfk78tB/I9XN9Xl3kjBEBZrV0PUJQkYzbZ6HXHOIzz0k5ysEiGkscP/NQNQ8nnYpDZDz/BHhyJEcbaUXDgIVlbIskzfoWFIjRH+kpxgkwikwhAV7DBFex/CbLqwUvT53q0S8k0tHKf/HPdc84vPfl5sNT0iy4qxLt/l1mJZYjGyFJYdz5G7xSZnTE05bEEOLPAfAt7gIOzTETi+ZByzvEyu3VJah4SiJCbel9DZxqF1fxBXGhAExA6Lo6Q5QbuJZISCXFK4SZW+M30cA2WbRKL1aThix2eFRI9XJKvWMscyqo1do8xhdSy1ZZwRHD+MHWTuh8L/gVLevf4CuZLAQfguNhKGzpCBZNPABx2vSLxwtS+brJxyJOPSdNa3+Wuh+N01aJv3,iv:Tr2mM8/uQjORcXi3g2dcEPp1lXBOC/1ykKUJkNFOLZI=,tag:LPiiFUeu0Csjb6qrGdXsAA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3emxtSHRwaTE2c3VJamxz
OUl3TkRUbmE2d2h5a0tLQ2ozc1RMdWZ1UXl3CnhuaUU1Um1pRUtpcFlPeEtKdkRB
UHFsT3RDSFBHR3BrVkxnYTk1ZFRjN1EKLS0tIEpLVFEyRk94dFQzanlpT2VpT08r
M2ZIaUFuajdUYld0VW5BaTY3VnptNkUKVI5zsOnQv8pAqjpvyFaRhYDROXlb9v4N
zQG2C/GiZYiBIIw8KqAcuAxpH6FmBZ2S6hx7gd045l8uhv2hO6zT+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWExIaWprNmNlVXpXM09E
b1JsWG14L05BVXVCdzNDQmgxQ0VsMis5ZnhrCjVOS0VpRi9DbEF2OXUwbTUvOEJH
eG1PYnJLc01MbzFnVXFHcWtTY3d2bVUKLS0tIERHcmxmK2RtUmNDdHV4Zm9kWHlT
RWtJdlNqRkU3OC9KVGhpcC9QcW5WTG8K+TYbo8tudt7mYuBce5n5ShuqcXkPA80e
avMoxXZ74tZEWz8qaQtgMR6ayeUU+3p2sHoY5ayHfmzmjljt/CCwvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-04T22:03:44Z"
mac: ENC[AES256_GCM,data:sDT9OQf1hNWaARnsdL1K5S1uthySEtrPauRkeEEgpUo0Li4DhqAUY9TJHKG8UIG9eZ8WduIKm8ciUGx7zSkgWflGx3o3dmkVpTRKz73HLmU5SqQoZ0r8xLR2mVtqxhy3c5WWVp9mKRKt+lH98SyPVpU5aXX5KWAuTm+nBdQu4+E=,iv:bWWUklD5CWHoOGTY3/J34mtV430xCfX6QvVigXgrFIE=,tag:eM3sXD1o2K1hYqcSatU2qw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

1
users/seb/home.nix
View file

@ -10,7 +10,6 @@
git.enable = true; git.enable = true;
vscode.enable = true; vscode.enable = true;
equalizer.enable = true; equalizer.enable = true;
sops.enable = false;
night-light.enable = true; night-light.enable = true;
}; };

0
users/seb/secrets.yaml
View file